- A company’s brain (decisions, rules, state, and often sensitive data) is ending up inside the memory of AI tools, almost always from vendors based in the United States.
- That brain is rented: opaque (you can’t see what it learned), governed by the vendor, and hosted where they decide. Convenient, but not yours.
- For many companies vendor memory is fine. It becomes a problem for regulated sectors, personal data, and when you must prove what the system knows and where the data lives.
- The answer isn’t giving up AI, it’s owning the context: files you govern, GDPR compliance, data at rest in the EU, self-hosting where needed.
The AI’s memory is convenient, but it lives in someone else’s house
As AI moves into everyday work, your company’s context (decisions made, rules, project state, sometimes customers’ personal data) settles into the memory of the tools you use. It’s convenient: the tool "remembers" and starts more informed each time. But that memory isn’t an archive you own. It’s opaque, because you can’t see precisely what it learned; it’s governed by the vendor, who decides how it works and what they do with it; and it’s hosted on their infrastructure, which in the vast majority of cases is based in the United States.
The point isn’t the quality of the product, which is often excellent. The point is where your company’s operating brain ends up and who controls it. Renting an office is one thing; having your most important documents live in a building you don’t hold the keys to, with access rules the landlord changes, is another. As long as everything’s fine you don’t notice. The day a client, an auditor, or a regulator asks you "where is the data and what did the system learn", the answer "I don’t know, it’s inside the vendor" doesn’t hold.
A company brain rented inside a vendor is convenient until you really need it. The day someone asks where the data lives, "it’s in their cloud" isn’t an answer.
For many it’s fine: for some it isn’t, and it’s a serious choice
It isn’t a holy war, and we’re not saying it to sell fear. For a small company, with non-sensitive context and no particular obligations, a serious vendor’s memory is a reasonable choice: convenient, well-kept, and the data is probably better off there than in a scattered chat. If your brain is made of style preferences and project notes, data sovereignty is a theoretical problem, and that’s perfectly fine.
It becomes concrete when the stakes and the rules change. If you operate in a regulated sector, if your company brain contains personal or health data, if a contract or a regulation requires you to know where the data resides and to prove what the system has learned, if you can’t afford the know-how to vanish when you switch tools, then ownership stops being a detail. It isn’t about where to keep notes: it’s about where to keep the company’s brain, with obligations you can’t delegate to a vendor.
Two questions separate those who own the brain from those who rent it
Owning the company brain isn’t a slogan: it’s measured on two axes. The first is where the data lives, inside a vendor’s infrastructure or in a place you control. The second is how it’s governed, automatically and opaquely or explicitly and auditably. The combination of the two tells you who really holds your company’s brain. A vendor’s memory sits in the convenient-but-rented quadrant; context on files you own is the only quadrant you govern.
This is the same question we put at the center of a dedicated piece: not whether you need a company brain, but who owns it. If you want the full picture, with Claude Tag and memory as a product, who owns the company brain explains it in full.
The answer isn’t giving up AI, it’s owning the context
Owning your company brain doesn’t mean going back to paper or saying no to AI: it means keeping the context on files you govern, readable by you and the AI, with data at rest in the EU and self-hosting of the models where the case requires it. It’s exactly the model we build our services on: fixed price, code owned by the client, GDPR compliance, data in Europe. Sovereignty isn’t a constraint that slows you down: it’s what lets you use AI even where the data is sensitive. The why and the practical boundaries are in our piece on AI governance for SMEs.
The technical how is less exotic than it sounds: you start from the same structured company brain files, just kept in a place you control. The practical method, with interviews, structure, and validation, is in how to build a company brain on files.
Data sovereignty, in practice
What does data sovereignty have to do with the company brain?
The company brain is the company’s operating brain: decisions, rules, state, and often sensitive data. When it lives inside an AI tool’s memory, that data is hosted where the vendor decides, almost always outside the EU, and governed by others. Data sovereignty is the question of where that brain resides and who controls it: for regulated sectors and personal data, it isn’t a technical detail.
Is it a problem that my company brain lives in a US vendor?
It depends on the stakes. For a small company with non-sensitive context, a serious vendor’s memory is a reasonable choice. It becomes a problem if you operate in a regulated sector, if the brain contains personal or health data, if a regulation or contract requires you to know where the data resides and what the system has learned, or if you can’t afford to lose the know-how by switching tools.
Does owning the company brain mean giving up AI?
No. It means keeping the context on files you govern, readable by you and the AI, rather than inside a vendor’s opaque memory. The AI keeps working on it, but the data lives where you decide, with GDPR compliance, data at rest in the EU, and self-hosting of the models where needed. Sovereignty is what lets you use AI even where the data is sensitive, not an obstacle.
How do you keep a company brain GDPR-compliant?
The context sits on structured files the company owns and governs, with data at rest in the EU and, on the most sensitive projects, models installed via self-hosting so the data doesn’t leave. It’s how we set up projects: code owned by the client, a DPA signed before starting, data in Europe. The technical starting point is the same company brain on files, just kept in a place you control.
Sources
- [1] cowork-os, open-source repository. github.com
This page is written by Raffaele Zarrelli, founder of Yempik, with editing done with Claude. The company brain and its ownership model are Yempik editorial models. The statements on GDPR, EU data, and self-hosting describe how Yempik sets up projects; they are not legal advice. The kits cited are our open-source cowork-os and code-os (MIT license).
Sensitive data or a regulated sector? We keep your brain in your house.
We start from your process and your obligations. We put decisions, rules, and state on files you own, governed, with data at rest in the EU and self-hosting where needed. Fixed price and timeline, the code is yours, the data doesn’t leave.